Description

ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity.

Remediation

References

http://gms.cl0udz.com/Openconfig_xxe.pdf

https://gerrit.onosproject.org/#/c/18894/

Related Vulnerabilities

CVE-2020-36518 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2023-24187 Vulnerability in maven package com.bstek.ureport:ureport2-core

CVE-2022-38900 Vulnerability in maven package org.webjars.npm:decode-uri-component

CVE-2022-25875 Vulnerability in npm package svelte

CVE-2020-7729 Vulnerability in npm package grunt

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory Issue Tracking